Phishing 101: Part 1

This week, there is a lot of media hype over emails being sent to users of the Royal Bank of Scotland and NatWest because of severe IT issues making it impossible for users to access their accounts online. The emails offer users the ability to log-in to their accounts and provide a link to the log-in page. If the users click the link and try to log-in, their bank login credentials are stolen. Here is an example of the email text used in this particular attack:

———————————————————————————————————

Online banking

We're sorry but the service to your natwest online account
will be temporarily unavailable.

———————————————————————————————————

This is just one example of an attack strategy which has been in use for over 20 years known as Phishing. Phishing is everywhere, every day you hear about it and every time you connect to the internet, you are a potential victim of a phishing attack. Compared to most of the cyber-attacks performed, detected and announced to the world, phishing stands alone. When you hear about a new type of malware on the news, a few hours later, the threat is mitigated. If a new vulnerability is announced, it is patched immediately. However with all the attention and wide spread attempts at protection from phishing attacks, it still exists and is still a threat. Truth be told, phishing is the simplest kind of cyber-attack and at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet, the human mind.

Background

In case you are new to the internet, Phishing is a cyber-attack which attempts to obtain login credentials/credit card numbers/etc. by asking for this information under the guise of a trustworthy entity, usually through e-mail or messaging. It is most commonly seen through e-mail as a communication from a bank or other organization which the user probably uses, asking for login credentials or personal information to be confirmed or provided by the user. These e-mails always come with a link to the web page the user needs to conduct their business on. This link will almost always send the user to a ‘fake’ version of the legitimate website where all their credentials will be obtained and given to the attacker.

The term ‘phishing’ is a variation of ‘fishing’ in the sense that attackers ‘bait’ the user to click something or provide information. Since it’s considered a digital attack, the ‘f’ was changed to ‘ph’ just like ‘phreaking’ for hacking phones. The first phishing technique was reported to be in 1987 and the first use of the term ‘phishing’ was in 1995. Straying from the technical history, I want to mention that the basic concept behind phishing has been around probably for the entire extent of human history. For example, an alluring woman used to ‘bait’ a passerby into coming into a dark alley, where they would be mugged. Another example is a burglar who would pose as a maintenance person to gain entry into a house. They were exploiting the same vulnerabilities which phishing attacks use, enticing a human into entering into some vulnerable state with the promise of something pleasing or official. The only difference between then and now is the execution of the attack.

Different Cases

Over the years phishing attacks have changed, as with most things, and have been segmented into different groups of variants. However, the end goal is the same with all of them. This post series will go over various forms of phishing attacks including the most commonly seen email phishing to spear phishing and phishing seen on social networks.

Phishing Emails

To begin this series, we start with the most basic and commonly seen type of phishing attack, phishing emails. Phishing emails involve sending a fake email to a broad group of users which are unique enough to be used as ‘bait’ but broad enough to possibly fool a large amount of people. These emails historically pose as account update notifications from:

Banks

Online Auction Sites

Social Networks

However, once the user clicks the link included in the e-mail which advertises a direct link to an ‘Account Log-in’ or ‘Account Update’ form, they are directed to a page which looks identical to what you would normally see if you were actually on the web site of the assumed organization. In reality, the page is being hosted through a separate web server and the information plugged into the forms will be sent to the attacker rather than the actual organization.

Bank Phishing

One of the more recent phishing schemes caught by our researchers involved trying to steal the login information of Tesco Online Banking users. The user would receive an e-mail from a spoofed e-mail address, instructing them to update their bank profile by clicking on an included link. The link would send them to the login page for Tesco where they would enter their information. This information would then be sent to the e-mail address of the spammer rather than Tesco authentication servers.

Here are a few screenshots of what the fake Tesco phishing page looks like and what the real Tesco login page looks like:

Security Tip: One way to determine whether or not a site is legit is to check the area next to your address bar in your browser, if you see green or a lock or something like that; hover over it and your browser will tell you whether or not the page is verified. This, however, can be faked and therefore it is recommended to employ some of the other methods discussed in this series for protecting yourself.

eBay Phishing

One of the most common phishing targets are users of eBay, which makes up a large portion of the population. It involves sending an e-mail like the one discussed in the Tesco example and attempting to retrieve user login credentials for eBay accounts.

Here is a side-by-side comparison of the legitimate eBay login page and a phishing page obtained from PhishTank.com

How can you protect yourself?

Phishing Attacks can fail by simply keeping an awareness of computer security practices in your mind whenever you check your email, read Facebook posts or play your favorite online game. Here is a list of a few of the most important tactics to keeping your information safe:

Don’t open e-mails from senders you are not familiar with.

Don’t ever click on a link inside of an e-mail unless you know exactly where it is going.

To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.

Look out for the digital certificate of a website

If you are asked to provide sensitive information, be sure to check and make sure that the URL of the page starts with ‘HTTPS’ instead of just ‘HTTP.

This is important not only for securing yourself against phishing attacks but also, ‘HTTP’ can be intercepted by hackers watching your network connection.

If you suspect the legitimacy of an e-mail, take some of its text or names used in it and type it into your search engine to see if any known phishing attacks exist using the same methods.

Obtain ‘Password Manager’ tools which can auto-fill login information for you, if you navigate to a page which you had been to before, the fields should be filled in. If they are not, you may be on a phishing page.

Conclusion

This portion of the series has only discussed the classic methods of phishing and the ones you will most likely see the most often. In the coming weeks, I will discuss different forms of phishing attacks which can be even more dangerous. The key to always remember is that while very dangerous and effective as a whole, you can defeat individual phishing attacks on your own without spending any money on hardware or software solutions, just be aware and keep your eyes open.

Next Week: Spear Phishing & Phishing in Social Networking

http://www.facebook.com/robt.oeser robertoeser

Hope I don’t miss next weeks’s blog on phishing in social networking. Just ran across the following Facebook page: https://www.facebook.com/LocalBratt — it tried to like a page I administer. The best thinking amongst us is the the page was set up to phish for contacts to sell hosting services to. Any thoughts?

Adam Kujawa

The Facebook page you referenced is for an Online Business Directory for the Local area of Brattleboro, VT. After checking out their Facebook page and website, I didn’t see anything malicious. I think their plan is to like as many other businesses as they can with the hope that the businesses will like them back. In doing so, the online directory will be able to post new business Ads for their customers to a large group of other businesses and individuals. Do you live/work in Brattleboro, because this would make more sense then. Thanks for the comment!